Netgate Discussion Forum

    BitTorrent & copyright violation notifications from IP-Echelon

      Derelict LAYER 8 Netgate

      The notification has an IP address.  If you don't know what client had that IP at the time of the notification, I can't help you.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

        almabes

        What I want to do is identify the clients that are using or are most likely using BitTorrents and assign them a virtual public IP.  Only thought on blocking is to get them to tell me they are having trouble with downloads or file sharing and thereby letting me know which clients to give the virtual IPs to.  I don't intend to stop or monitor the BitTorrent, just give them an IP.

        Ok…what if you wrote a PASS rule on your LAN interface for TCP traffic destined for any IP on ports 6881-6999 and set it to log.  Maybe that will help identify them.

          almabes

          @Derelict:

          The notification has an IP address.  If you don't know what client had that IP at the time of the notification, I can't help you.

          Unfortunately, it's his WAN interface IP he's NATting these torrenters to.

            charlesa920

            @almabes:

            Ok…what if you wrote a PASS rule on your LAN interface for TCP traffic destined for any IP on ports 6881-6999 and set it to log.  Maybe that will help identify them.

            This sounds like a workable solution which is likely to find the majority of the clients I'm looking for.  Unfortunately I know no more about writing these rules than I do about snort.  But this sounds like something I can research and learn…

            pfSense is versatile and powerful.  Even though I've used it for 5 years I feel like I only have a minimum knowledge and consider myself fortunate to be able to get it to do what I need.  Now that I need it to do more, I'll have to learn more. And that's a good thing.

              charlesa920

              so how about this:

              Don't the BitTorrents normally make multiple connections? 
              Perhaps something can be done to find these multiple connections?
              IDK

                P3R

                @charlesa920:

                …and only has IP common to my bridged network.  In this case the IP on the notification is the same as the WAN interface on my pfsense, with no current way for me to determine which client is causing the notification.

                So why do you only have a home user design if you're an ISP?

                Isn't the ability to, if necessary, track who did what a part of being an ISP?

                What do you do when one of your users engages in more serious criminality and you ARE required by a court order to identify them?

                You're at least not helped by only adding BT-traffic logging at that point… ???

                  Derelict LAYER 8 Netgate

                  What do you do when one of your users engages in more serious criminality and you ARE required by a court order to identify them?

                  No idea what country OP is in but here in the US we don't have mandatory records retention for ISPs.

                  You can't give them what you don't have.  You can truthfully testify you don't have it.

                    tim.mcmanus

                    I too am beginning to scrutinize my network traffic for various reasons.  The approach I'm taking is to buy a switch to do port replication on my WAN ports and funnel that traffic to a Security Onion installation to process all of the data packets.  My traffic is nowhere near yours, and the more bandwidth you consume the more infrastructure requirements Security Onion has (disk and RAM primarily).

                    This way I can inspect and classify all of the packets going across my network and run some metrics.  I'll know the disposition of all seven layers and can then start scrutinizing traffic very granularly.  In your situation, the Wireshark part of Security Onion should be able to tell you where torrent traffic is originating from and when.

                    Security Onion is a collection of integrated tools in an Ubuntu distribution.

                      charlesa920

                      @P3R:

                      What do you do when one of your users engages in more serious criminality and you ARE required by a court order to identify them?

                      IF I get a court order I will comply.

                        Derelict LAYER 8 Netgate

                        How if you have no idea what customer is on what IP address?

                        I'm not saying not knowing is a bad thing, but I like to know what's going on with my networks.

                        Knowing what's going on and keeping logs longer than necessary for troubleshooting are two different issues.  ;)

                          almabes

                          @charlesa920:

                          @almabes:

                          Ok…what if you wrote a PASS rule on your LAN interface for TCP traffic destined for any IP on ports 6881-6999 and set it to log.  Maybe that will help identify them.

                          This sounds like a workable solution which is likely to find the majority of the clients I'm looking for.  Unfortunately I know no more about writing these rules than I do about snort.  But this sounds like something I can research and learn…

                          pfSense is versatile and powerful.  Even though I've used it for 5 years I feel like I only have a minimum knowledge and consider myself fortunate to be able to get it to do what I need.  Now that I need it to do more, I'll have to learn more. And that's a good thing.

                          https://doc.pfsense.org/index.php/Firewall_Rule_Basics
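
Added example, not part of any post in this thread: one way to turn the logged PASS rule for TCP ports 6881-6999 into a list of LAN clients, using the "multiple connections" idea by counting distinct remote peers per client. It assumes the comma-separated field order of pfSense's raw filterlog entries for IPv4/TCP; the function name, the threshold and the sample lines are constructed for illustration.

```python
import csv
import re
from collections import defaultdict

BT_PORTS = range(6881, 7000)  # 6881-6999, the range proposed in the thread
MIN_PEERS = 3                 # assumed threshold for "multiple connections"

# Constructed sample lines in the filterlog CSV layout; not real log data.
SAMPLE_LOG = """\
Mar  3 21:14:02 fw filterlog: 77,,,1000002661,igb1,match,pass,in,4,0x0,,64,4711,0,DF,6,tcp,60,192.168.1.23,203.0.113.10,51514,6881,0,S,1,,65535,,mss
Mar  3 21:14:03 fw filterlog: 77,,,1000002661,igb1,match,pass,in,4,0x0,,64,4712,0,DF,6,tcp,60,192.168.1.23,198.51.100.7,51515,6889,0,S,1,,65535,,mss
Mar  3 21:14:03 fw filterlog: 77,,,1000002661,igb1,match,pass,in,4,0x0,,64,4713,0,DF,6,tcp,60,192.168.1.23,203.0.113.99,51516,6999,0,S,1,,65535,,mss
Mar  3 21:14:04 fw filterlog: 77,,,1000002661,igb1,match,pass,in,4,0x0,,64,4714,0,DF,6,tcp,60,192.168.1.23,203.0.113.10,51514,6881,0,S,1,,65535,,mss
Mar  3 21:14:05 fw filterlog[4242]: 77,,,1000002661,igb1,match,pass,in,4,0x0,,64,9001,0,DF,6,tcp,60,192.168.1.40,203.0.113.10,40000,6881,0,S,1,,65535,,mss
Mar  3 21:14:06 fw filterlog: 80,,,1000002670,igb1,match,pass,in,4,0x0,,64,4715,0,DF,6,tcp,60,192.168.1.23,198.51.100.20,51517,443,0,S,1,,65535,,mss
Mar  3 21:14:07 fw filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,7001,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,42000,6881,0,S,1,,65535,,mss
Mar  3 21:14:08 fw filterlog: 77,,,1000002661,igb1,match,pass,in,4,0x0,,64,4716,0,none,17,udp,48,192.168.1.23,203.0.113.55,51000,6881,28
"""


def bt_candidates(log_text, min_peers=MIN_PEERS):
    """Map each LAN source IP to its distinct (dst_ip, dst_port) peers on
    ports 6881-6999, keeping only sources with at least min_peers peers."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        m = re.search(r"filterlog(?:\[\d+\])?:\s*(.+)$", line)
        if not m:
            continue
        f = next(csv.reader([m.group(1)]))
        # Assumed layout: 6=action 7=direction 8=IP version 16=protocol
        # 18=source 19=destination 21=destination port
        if len(f) < 22 or f[8] != "4" or f[16] != "tcp":
            continue
        if f[6] != "pass" or f[7] != "in" or not f[21].isdigit():
            continue
        if int(f[21]) in BT_PORTS:
            # A set collapses SYN retries to the same peer into one entry.
            peers[f[18]].add((f[19], int(f[21])))
    return {ip: sorted(p) for ip, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    for ip, seen in bt_candidates(SAMPLE_LOG).items():
        print(ip, len(seen), "distinct peers:", seen)
```

The match is on destination port only, so a client whose peers listen outside 6881-6999 will not show up in the result.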
